Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Fake XP Security Center/XP Smart Security Malware


  • This topic is locked This topic is locked
14 replies to this topic

#1 Kyle26

Kyle26

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:03:22 AM

Posted 13 April 2010 - 09:19 AM

I have the fake XP Security Center malware. I'm constantly prompted that I have a security risk/threat/virus that needs immediate fixing and/or registration for a free scan in order to save my computer. I've run Malwarebytes about 4 times. Each time it finds some things and removes them, my computer seems clean after restart, but by the next day or so the alerts and pop-ups are back. Here is my Hijack This log and thank you very much for taking the time to help me.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:18:56 AM, on 4/13/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\WINDOWS\system32\mfevtps.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\iTunes\iTunes.exe
C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptsn.dll
O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ahephrwe] C:\Documents and Settings\Kyle\Local Settings\Application Data\srgvde\nlmysftav.exe
O4 - HKLM\..\Run: [klnrfktc] C:\Documents and Settings\Kyle\Local Settings\Application Data\qoggev\ycbbsftav.exe
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [ahephrwe] C:\Documents and Settings\Kyle\Local Settings\Application Data\srgvde\nlmysftav.exe
O4 - HKCU\..\Run: [klnrfktc] C:\Documents and Settings\Kyle\Local Settings\Application Data\qoggev\ycbbsftav.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClientControl Class) - https://juniper.net/dana-cached/sc/JuniperSetupClient.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Engine Service (McAfeeEngineService) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\WINDOWS\system32\mfevtps.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9405 bytes


BC AdBot (Login to Remove)

 


#2 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:05:22 AM

Posted 17 April 2010 - 09:17 PM

Hello Kyle26 smile.gif Welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.


I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.



In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond the your topic and facilitate the cleaning of your machine.


Please keep in mind that we have a large backlog of users just like yourself waiting to be helped so try to be as timely as possible in your replies. Since we do this on a part-time voluntary basis we are limited on how many logs we can respond to and keep open due to time restraints. If you have to be away or can't answer for some other reason just let me know. Thank you for your understanding.



After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.



In order to better assist you I will need the following:




Download DDS and save it to your desktop from here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop, post the DDS.txt in the reply window and attach the Attach.txt









  • If you have any CD emulation software such as Daemon or Alcohol please run the following before you run GMER. If you do not skip DeFogger and go right on to GMER. If you do use it let me know so we can reenable when we finish up.



    Disable:


    Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers.
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger will now ask to reboot the machine - click OK
    IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

    Do not re-enable these drivers until otherwise instructed.



    Disable your antivirus along with other security programs such as Windows Defender or TeaTimer before running the following. Instructions can be found Here.



    Download GMER Rootkit Scanner from here to your desktop.
    • Double click the exe file.
    • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan.



      Click the image to enlarge it


    • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
      • Sections
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
    • Then click the Scan button & wait for it to finish.
    • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
    Save it where you can easily find it, such as your desktop, and post it in reply.

    **Caution**
    Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries




    If GMER does not want to run add the following to those that you unchecked and try it again:

    • Registry
    • Files












    Note: Please make only the Attach.txt from DDS an attachment, post the other logs directly into the reply window.



    Thanks,



    thewall



    If I have helped you then please consider donating so I can continue the fight against malware Posted Image
    All donations go directly to the helper

    Posted Image

    Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

    #3 Kyle26

    Kyle26
    • Topic Starter

    • Members
    • 16 posts
    • OFFLINE
    •  
    • Local time:03:22 AM

    Posted 19 April 2010 - 08:43 AM

    Thank you!




    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Kyle at 9:46:12.09 on Sun 04/18/2010
    Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_18
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.390 [GMT -7:00]

    AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

    ============== Running Processes ===============

    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    svchost.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\McAfee\Common Framework\udaterui.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
    C:\WINDOWS\system32\mfevtps.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    svchost.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\Program Files\McAfee\Common Framework\McTray.exe
    C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\Documents and Settings\Kyle\My Documents\Downloads\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.dell4me.com/myway
    mStart Page = hxxp://www.dell4me.com/myway
    uInternet Settings,ProxyOverride = *.local
    uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
    mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
    BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll
    BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
    uRun: [EasyLinkAdvisor] "c:\program files\linksys easylink advisor\LinksysAgent.exe" /startup
    uRun: [ahephrwe] c:\documents and settings\kyle\local settings\application data\srgvde\nlmysftav.exe
    uRun: [klnrfktc] c:\documents and settings\kyle\local settings\application data\qoggev\ycbbsftav.exe
    mRun: [ehTray] c:\windows\ehome\ehtray.exe
    mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
    mRun: [CTSysVol] c:\program files\creative\sound blaster live! 24-bit\surround mixer\CTSysVol.exe /r
    mRun: [P17Helper] Rundll32 P17.dll,P17Helper
    mRun: [UpdReg] c:\windows\UpdReg.EXE
    mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
    mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
    mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
    mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
    mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [ahephrwe] c:\documents and settings\kyle\local settings\application data\srgvde\nlmysftav.exe
    mRun: [klnrfktc] c:\documents and settings\kyle\local settings\application data\qoggev\ycbbsftav.exe
    mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
    IE: &AIM Toolbar Search - c:\documents and settings\all users\application data\aim toolbar\ietoolbar\resources\en-us\local\search.html
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
    IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\kyle\applic~1\mozilla\firefox\profiles\j6esr8jx.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - gmail.com
    FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
    FF - plugin: c:\documents and settings\kyle\application data\move networks\plugins\npqmp071502000008.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
    FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true
    FF - user.js: browser.sessionstore.resume_from_crash - false
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

    ============= SERVICES / DRIVERS ===============

    R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-1-27 340592]
    R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-3-17 130424]
    R2 McAfeeEngineService;McAfee Engine Service;c:\program files\mcafee\virusscan enterprise\engineserver.exe [2008-9-29 19456]
    R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-3-14 103744]
    R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
    R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\mcshield.exe [2008-9-29 143088]
    R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [2008-9-29 62800]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2009-1-27 67904]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-1-28 24652]
    R3 Angel;Angel MPEG Device;c:\windows\system32\drivers\Angel.sys [2005-9-15 375936]
    R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-1-27 90360]
    R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-1-27 42424]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2009-1-27 64432]

    =============== Created Last 30 ================

    2010-04-14 10:03:54 204 ----a-w- c:\windows\system32\MRT.INI
    2010-04-13 14:18:47 0 d-----w- c:\program files\Trend Micro
    2010-04-13 03:06:41 0 d-----w- c:\program files\TrendMicro
    2010-04-11 19:05:30 0 ----a-w- c:\documents and settings\kyle\;;
    2010-04-07 03:27:10 0 d-----w- c:\docume~1\kyle\applic~1\Juniper Networks
    2010-04-07 03:26:50 0 d-----w- c:\docume~1\alluse~1\applic~1\Juniper Networks
    2010-04-03 21:00:28 664 ----a-w- c:\windows\system32\d3d9caps.dat

    ==================== Find3M ====================

    2010-04-15 00:02:24 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
    2010-04-15 00:02:24 96512 ----a-w- c:\windows\system32\dllcache\atapi.sys
    2010-04-14 23:34:22 319792 ----a-w- c:\program files\uTorrent.exe
    2010-03-10 04:33:41 1509888 ------w- c:\windows\system32\dllcache\shdocvw.dll
    2010-03-10 04:33:38 1025024 ------w- c:\windows\system32\dllcache\browseui.dll
    2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll
    2010-03-09 11:09:18 430080 ------w- c:\windows\system32\dllcache\vbscript.dll
    2010-02-26 05:43:57 667136 ----a-w- c:\windows\system32\wininet.dll
    2010-02-26 05:43:57 667136 ------w- c:\windows\system32\dllcache\wininet.dll
    2010-02-26 05:43:57 627712 ------w- c:\windows\system32\dllcache\urlmon.dll
    2010-02-26 05:43:55 3073024 ------w- c:\windows\system32\dllcache\mshtml.dll
    2010-02-26 05:43:54 81920 ----a-w- c:\windows\system32\ieencode.dll
    2010-02-26 05:43:54 81920 ------w- c:\windows\system32\dllcache\ieencode.dll
    2010-02-26 05:43:54 251904 ------w- c:\windows\system32\dllcache\iepeers.dll
    2010-02-24 13:11:07 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2010-02-24 13:11:07 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys
    2010-02-17 16:10:28 2189952 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
    2010-02-16 14:08:49 2146304 ------w- c:\windows\system32\ntoskrnl.exe
    2010-02-16 14:08:49 2146304 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
    2010-02-16 13:25:04 2066816 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
    2010-02-16 13:25:04 2024448 ------w- c:\windows\system32\ntkrnlpa.exe
    2010-02-16 13:25:04 2024448 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
    2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
    2010-02-12 04:33:11 100864 ------w- c:\windows\system32\dllcache\6to4svc.dll
    2010-02-11 12:02:15 226880 ------w- c:\windows\system32\dllcache\tcpip6.sys
    2010-02-11 04:13:12 46380 ---ha-w- c:\windows\system32\mlfcache.dat
    2010-02-10 01:00:55 411368 ----a-w- c:\windows\system32\deploytk.dll

    ============= FINISH: 9:47:55.06 ===============




    *Unchecked Registry and Files*


    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-04-19 06:42:19
    Windows 5.1.2600 Service Pack 3
    Running: q6mvd26w.exe; Driver: C:\DOCUME~1\Kyle\LOCALS~1\Temp\fwrcyaoc.sys


    ---- System - GMER 1.0.15 ----

    SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xF73F8506]
    SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xF73E7240]
    SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xF73E7432]
    SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xF73F8CC8]
    SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xF73F8F88]
    SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xF73F73EC]
    SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xF73F93EC]
    SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xF73F87B8]
    SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xF73E6EF0]

    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateFile [0xF729C1CE]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwEnumerateKey [0xF729C13A]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xF729C124]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwLoadKey2 [0xF729C150]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF729C20E]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xF729C17C]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF729BFE4]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xF729BFF8]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xF729C1E2]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryKey [0xF729C1B8]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xF729C10E]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryValueKey [0xF729C0F8]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwReplaceKey [0xF729C1A4]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRestoreKey [0xF729C190]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetContextThread [0xF729C060]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xF729C04C]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnloadKey [0xF729C166]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF729C224]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xF729C1F8]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtCreateFile
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetInformationProcess

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

    Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
    Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
    Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
    Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
    Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
    Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
    Device -> \Driver\atapi \Device\Harddisk0\DR0 870FDD6B

    ---- Files - GMER 1.0.15 ----

    File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

    ---- EOF - GMER 1.0.15 ----

    Attached Files



    #4 thewall

    thewall

    • Malware Response Team
    • 6,425 posts
    • OFFLINE
    •  
    • Gender:Male
    • Location:Florida
    • Local time:05:22 AM

    Posted 19 April 2010 - 10:59 AM

    Showing signs of infection.



    Please download ComboFix from one of these locations:

    Link 1
    Link 2

    * IMPORTANT !!! Save ComboFix.exe to your Desktop
    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instruction can be found HERE
    • Double click on ComboFix.exe & follow the prompts.
    • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.




    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:





    Click on Yes, to continue scanning for malware.

    When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.





    If I have helped you then please consider donating so I can continue the fight against malware Posted Image
    All donations go directly to the helper

    Posted Image

    Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

    #5 Kyle26

    Kyle26
    • Topic Starter

    • Members
    • 16 posts
    • OFFLINE
    •  
    • Local time:03:22 AM

    Posted 19 April 2010 - 10:29 PM

    ComboFix 10-04-18.04 - Kyle 04/19/2010 20:03:10.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.556 [GMT -7:00]
    Running from: c:\documents and settings\Kyle\My Documents\Downloads\ComboFix.exe
    AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
    * Resident AV is active

    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\NetworkService\Local Settings\Application Data\MSASCui.exe

    Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected
    Restored copy from - Kitty had a snack tongue.gif
    .
    ((((((((((((((((((((((((( Files Created from 2010-03-20 to 2010-04-20 )))))))))))))))))))))))))))))))
    .

    2010-04-13 14:18 . 2010-04-13 14:18 -------- d-----w- c:\program files\Trend Micro
    2010-04-13 03:06 . 2010-04-13 03:06 388096 ----a-r- c:\documents and settings\Kyle\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
    2010-04-13 03:06 . 2010-04-13 03:06 -------- d-----w- c:\program files\TrendMicro
    2010-04-08 06:17 . 2010-04-08 06:17 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
    2010-04-08 06:16 . 2010-04-08 06:16 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2010-04-07 03:28 . 2010-04-07 03:28 161632 ----a-w- c:\documents and settings\Kyle\Application Data\Juniper Networks\Setup Client\x86_Microsoft.VC80.CRTP_8.0.50727.762.exe
    2010-04-07 03:27 . 2009-08-12 22:07 548864 ----a-w- c:\documents and settings\Kyle\Application Data\Juniper Networks\Host Checker\Microsoft.VC80.CRT\msvcp80.dll
    2010-04-07 03:27 . 2010-04-07 03:27 291696 ----a-w- c:\documents and settings\Kyle\Application Data\Juniper Networks\Setup Client\x86_Microsoft.VC80.CRTR_8.0.50727.762.exe
    2010-04-07 03:27 . 2010-04-07 03:27 36948 ----a-w- c:\documents and settings\Kyle\Application Data\Juniper Networks\setup\uninstall.exe
    2010-04-07 03:27 . 2010-04-07 03:28 -------- d-----w- c:\documents and settings\Kyle\Application Data\Juniper Networks
    2010-04-07 03:26 . 2010-04-07 03:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Juniper Networks
    2010-04-06 08:20 . 2010-04-06 08:20 -------- d-s---w- c:\documents and settings\LocalService\UserData
    2010-04-06 04:55 . 2010-04-06 04:55 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
    2010-04-06 02:48 . 2010-04-06 02:48 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple
    2010-04-05 11:32 . 2010-04-05 11:32 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities
    2010-04-05 09:19 . 2010-04-05 09:19 -------- d-s---w- c:\documents and settings\NetworkService\UserData
    2010-04-03 21:00 . 2010-04-20 02:02 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-03-22 13:55 . 2010-03-22 13:55 -------- d-----w- c:\documents and settings\Kyle\Local Settings\Application Data\qoggev

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-04-20 02:30 . 2009-01-30 14:05 -------- d-----w- c:\documents and settings\Kyle\Application Data\HPAppData
    2010-04-19 05:15 . 2009-01-28 14:52 -------- d-----w- c:\documents and settings\Kyle\Application Data\uTorrent
    2010-04-15 00:02 . 2004-08-04 03:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
    2010-04-14 23:34 . 2009-01-28 14:57 319792 ----a-w- c:\program files\uTorrent.exe
    2010-03-09 11:09 . 2004-08-19 20:49 430080 ----a-w- c:\windows\system32\vbscript.dll
    2010-03-01 15:00 . 2010-03-01 14:59 -------- d-----w- c:\program files\iTunes
    2010-03-01 15:00 . 2010-03-01 14:59 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
    2010-03-01 14:59 . 2010-03-01 14:59 -------- d-----w- c:\program files\iPod
    2010-03-01 14:59 . 2009-01-28 14:28 -------- d-----w- c:\program files\Common Files\Apple
    2010-03-01 14:54 . 2009-11-17 04:10 -------- d-----w- c:\program files\QuickTime
    2010-03-01 14:44 . 2010-03-01 14:44 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
    2010-02-26 05:43 . 2004-08-19 20:49 667136 ----a-w- c:\windows\system32\wininet.dll
    2010-02-26 05:43 . 2004-08-19 20:49 81920 ----a-w- c:\windows\system32\ieencode.dll
    2010-02-24 13:11 . 2005-09-15 14:53 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2010-02-16 14:08 . 2004-08-19 20:49 2146304 ------w- c:\windows\system32\ntoskrnl.exe
    2010-02-16 13:25 . 2004-08-04 03:59 2024448 ------w- c:\windows\system32\ntkrnlpa.exe
    2010-02-16 02:32 . 2009-01-28 04:03 51176 ----a-w- c:\documents and settings\Kyle\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-02-12 04:33 . 2004-08-19 20:49 100864 ----a-w- c:\windows\system32\6to4svc.dll
    2010-02-11 12:02 . 2004-08-19 20:49 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
    2010-02-11 04:13 . 2010-02-11 04:13 46380 ---ha-w- c:\windows\system32\mlfcache.dat
    2010-02-10 01:01 . 2010-02-10 01:01 348160 ----a-w- c:\documents and settings\Kyle\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7adedc2e-n\msvcr71.dll
    2010-02-10 01:01 . 2010-02-10 01:01 503808 ----a-w- c:\documents and settings\Kyle\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7adedc2e-n\msvcp71.dll
    2010-02-10 01:01 . 2010-02-10 01:01 499712 ----a-w- c:\documents and settings\Kyle\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7adedc2e-n\jmc.dll
    2010-02-10 01:01 . 2010-02-10 01:01 61440 ----a-w- c:\documents and settings\Kyle\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-3b37adee-n\decora-sse.dll
    2010-02-10 01:01 . 2010-02-10 01:01 12800 ----a-w- c:\documents and settings\Kyle\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-3b37adee-n\decora-d3d.dll
    2010-02-10 01:00 . 2009-02-03 16:29 411368 ----a-w- c:\windows\system32\deploytk.dll
    2010-02-01 05:00 . 2010-02-01 05:00 934960 ----a-w- c:\documents and settings\Kyle\Application Data\Juniper Networks\Host Checker\AVManagerUnified.dll
    2010-02-01 05:00 . 2010-02-01 05:00 93232 ----a-w- c:\documents and settings\Kyle\Application Data\Juniper Networks\Host Checker\CAntiVirusCOM.dll
    2010-02-01 05:00 . 2010-02-01 05:00 46640 ----a-w- c:\documents and settings\Kyle\Application Data\Juniper Networks\Host Checker\Impl_AntivirusLib.dll
    2010-02-01 05:00 . 2010-02-01 05:00 37936 ----a-w- c:\documents and settings\Kyle\Application Data\Juniper Networks\Host Checker\OPSWATProcessesScanner.dll
    2010-02-01 05:00 . 2010-02-01 05:00 34352 ----a-w- c:\documents and settings\Kyle\Application Data\Juniper Networks\Host Checker\CFireWallCOM.dll
    2010-02-01 05:00 . 2010-02-01 05:00 297520 ----a-w- c:\documents and settings\Kyle\Application Data\Juniper Networks\Host Checker\OESISCore.dll
    2010-02-01 05:00 . 2010-02-01 05:00 18992 ----a-w- c:\documents and settings\Kyle\Application Data\Juniper Networks\Host Checker\Impl_SoftwareProductLib.dll
    2010-02-01 05:00 . 2010-02-01 05:00 176688 ----a-w- c:\documents and settings\Kyle\Application Data\Juniper Networks\Host Checker\FWManager.dll
    2010-02-01 05:00 . 2010-02-01 05:00 14384 ----a-w- c:\documents and settings\Kyle\Application Data\Juniper Networks\Host Checker\Impl_FirewallLib.dll
    2008-09-29 16:07 . 2009-01-28 04:37 22576 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-16 454784]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
    "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-30 339968]
    "CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
    "P17Helper"="P17.dll" [2004-06-10 60928]
    "UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
    "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
    "RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-09-15 26112]
    "dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
    "McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2008-03-14 136512]
    "ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-09-29 124240]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-03-26 49152]
    "hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-03-13 81920]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-16 141608]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-07-27 221184]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-4-12 113664]
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
    QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
    @=""

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableNotifications"= 1 (0x1)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
    "c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\AIM6\\aim6.exe"=
    "c:\\Program Files\\uTorrent.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [3/17/2009 11:20 AM 130424]
    R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\engineserver.exe [9/29/2008 9:07 AM 19456]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [1/27/2009 9:37 PM 67904]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/28/2009 7:15 AM 24652]
    R3 Angel;Angel MPEG Device;c:\windows\system32\drivers\Angel.sys [9/15/2005 7:54 AM 375936]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [1/27/2009 9:37 PM 64432]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder

    2010-04-20 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.dell4me.com/myway
    mStart Page = hxxp://www.dell4me.com/myway
    uInternet Settings,ProxyOverride = *.local
    IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
    FF - ProfilePath - c:\documents and settings\Kyle\Application Data\Mozilla\Firefox\Profiles\o2rf06e9.default\
    FF - plugin: c:\documents and settings\Kyle\Application Data\Move Networks\plugins\npqmp071502000008.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-ahephrwe - c:\documents and settings\Kyle\Local Settings\Application Data\srgvde\nlmysftav.exe
    HKCU-Run-klnrfktc - c:\documents and settings\Kyle\Local Settings\Application Data\qoggev\ycbbsftav.exe
    HKLM-Run-ahephrwe - c:\documents and settings\Kyle\Local Settings\Application Data\srgvde\nlmysftav.exe
    HKLM-Run-klnrfktc - c:\documents and settings\Kyle\Local Settings\Application Data\qoggev\ycbbsftav.exe
    AddRemove-HijackThis - c:\documents and settings\Kyle\My Documents\Downloads\HijackThis.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-04-19 20:10
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2010-04-19 20:12:36
    ComboFix-quarantined-files.txt 2010-04-20 03:12

    Pre-Run: 81,919,053,824 bytes free
    Post-Run: 82,079,043,584 bytes free

    - - End Of File - - A8A1E5EACA659776EC31BD33433FA11B


    #6 thewall

    thewall

    • Malware Response Team
    • 6,425 posts
    • OFFLINE
    •  
    • Gender:Male
    • Location:Florida
    • Local time:05:22 AM

    Posted 19 April 2010 - 11:12 PM

    Let's try to run Kaspersky now:



    It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run it's full course:



    Please perform a scan with Kaspersky Online Virus Scanner.
    -- Requires free Java Runtime Environment (JRE) to be installed before scanning for malware as ActiveX is no longer being used.
    -- This scan will not remove any detected file threats but it will show where they are located so they can be cleaned with other tools.
    • Vista users need to right-click the IE or FF Start Menu or Quick Launch Bar icons and Run As Administrator from the context menu.
    • Read the "Advantages - Requirements and Limitations" then press the ... button.
    • You will be prompted to install an application from Kaspersky. Click the Run button. It will start downloading and installing the scanner and virus definitions.
    • When the downloads have finished, you should see 'Database is updated. Ready to scan'. Click on the ... button.
    • Make sure these boxes are checked. By default, they should be. If not, please check them and click on the ... button afterwards:
      • Detect malicious programs of the following categories:
        Viruses, Worms, Trojan Horses, Rootkits
        Spyware, Adware, Dialers and other potentially dangerous programs
      • Scan compound files (doesn't apply to the File scan area):
        Archives
        Mail databases
    • Click on My Computer under the Scan section. OK any warnings from your protection programs.
    • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
    • Once the scan is complete (the 'status' will show complete), click on View Scan Report and any infected objects will be shown.
    • Click on Save Report As... and change the Files of type to Text file (.txt)
    • Name the file KAVScan_ddmmyy (day, month, year) before clicking on the Save button and save it to your Desktop.
    • Copy and paste (Ctrl+C) the saved scan results from that file in your next reply.
    -- Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.
    If I have helped you then please consider donating so I can continue the fight against malware Posted Image
    All donations go directly to the helper

    Posted Image

    Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

    #7 Kyle26

    Kyle26
    • Topic Starter

    • Members
    • 16 posts
    • OFFLINE
    •  
    • Local time:03:22 AM

    Posted 20 April 2010 - 07:18 PM

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7.0: scan report
    Tuesday, April 20, 2010
    Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Tuesday, April 20, 2010 03:04:56
    Records in database: 3947469
    --------------------------------------------------------------------------------

    Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

    Scan area - My Computer:
    C:\
    D:\
    E:\

    Scan statistics:
    Objects scanned: 79759
    Threats found: 2
    Infected objects found: 4
    Suspicious objects found: 0
    Scan duration: 02:58:08


    File name / Threat / Threats count
    C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\41\6aa23129-4f180282 Infected: Exploit.Java.CVE-2009-3867.a 1
    C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\56\2d475f78-36f8b60c Infected: Trojan-Downloader.Java.Agent.br 3

    Selected area has been scanned.


    #8 thewall

    thewall

    • Malware Response Team
    • 6,425 posts
    • OFFLINE
    •  
    • Gender:Male
    • Location:Florida
    • Local time:05:22 AM

    Posted 20 April 2010 - 08:21 PM

    We'll clean out the Java cache to get rid of those entries in the Kaspersky scan:

    Link for info is:


    http://support.f-secure.com/enu/home/virus...javacache.shtml





    Please uninstall older version of Adobe Reader before installing the latest version

    * Click Start
    * Control Panel
    * Double clicking on Add/Remove Programs
    * Locate older version of Adobe Reader and click on Change/Remove to uninstall it
    * Click HERE to download the latest version of Adobe Acrobat Reader.
    * Select your Windows version and click onDownload. If you are using Internet Explorer, you will receive prompts. Allow the installation to be ran and it will be installed automatically for you. If you are using other browsers, it will prompt you to save a file. Save this file to your desktop and run it to install the latest version of Adobe Reader.
    * Close your Internet browser and open it again.





    Although your version of Java is not that old the newer version has some security patches it is important to have so let's update it too. Let me know when you have completed all of this.




    Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Look for "JDK 6 Update 20 (JDK or JRE)".
    • Click the "Download JRE" button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java versions.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.
    • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
    • When the Java Setup - Welcome window opens, click the Install > button.
    • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
    -- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
    -- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


    Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.
    If I have helped you then please consider donating so I can continue the fight against malware Posted Image
    All donations go directly to the helper

    Posted Image

    Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

    #9 Kyle26

    Kyle26
    • Topic Starter

    • Members
    • 16 posts
    • OFFLINE
    •  
    • Local time:03:22 AM

    Posted 21 April 2010 - 09:03 AM

    Both programs have been installed. Thanks!

    #10 thewall

    thewall

    • Malware Response Team
    • 6,425 posts
    • OFFLINE
    •  
    • Gender:Male
    • Location:Florida
    • Local time:05:22 AM

    Posted 21 April 2010 - 10:18 AM

    Should have asked you last time but is everything running OK? If it is we will uninstall our tools and finish up in the next post.
    If I have helped you then please consider donating so I can continue the fight against malware Posted Image
    All donations go directly to the helper

    Posted Image

    Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

    #11 Kyle26

    Kyle26
    • Topic Starter

    • Members
    • 16 posts
    • OFFLINE
    •  
    • Local time:03:22 AM

    Posted 21 April 2010 - 06:47 PM

    Yes everything seems to be running fine. THanks

    #12 thewall

    thewall

    • Malware Response Team
    • 6,425 posts
    • OFFLINE
    •  
    • Gender:Male
    • Location:Florida
    • Local time:05:22 AM

    Posted 21 April 2010 - 10:34 PM

    Sounds great! We'll close up now.


    Uninstall Combofix
    • Press the Windows Key + R on your keyboard.
    • Now copy & paste the green bolded text in the run-box and click OK.

      ComboFix /Uninstall

      <Notice the space between the "x" and "/".>

    • The following will implement some very important cleanup procedures as well as reset System Restore points.




    You can go ahead and delete GMER and DDS now if they are still on your desktop.







    Below are some steps to follow in order to dramatically lower the chances of reinfection
    You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented
    1. Make sure you install all the security updates for Windows, Internet explorer & Microsoft Office
      Whenever a security problem in its software is found, Microsoft will usually create a patch for it to that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC, so keeping up with these patches will help to prevent malicious software being installed on your PC
      Go here to check for & install updates to Microsoft applications
      Note: The update process uses activex, so you will need to use internet explorer for it, and allow the activex control that it wants to install
    2. Keep your non-Microsoft applications updated as well
      Microsoft isn't the only company whose products can contain security vulnerabilities, to check for other vulnerable programs running on your PC that are in need of an update, you can use the Secunia Software Inspector - I suggest that you run it at least once a month
    3. Make Internet Explorer more secure
      Click Start > Run
      Type Inetcpl.cpl & click OK
      Click on the Security tab
      Click Reset all zones to default level
      Make sure the Internet Zone is selected & Click Custom level
      In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
      Next Click OK, then Apply button and then OK to exit the Internet Properties page.
    4. Install SpywareBlaster & make sure to update it regularly
      SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
      If you don't know what activex controls are, see here
      You can download SpywareBlaster from here
    5. Finally, this is very important. It is absolutely essential to keep all of your security programs up to date




    If you have any other questions or issues feel free to ask as I will be checking back on this topic.



    Other than that if there is nothing else I can do for you then I wish you good luck in the future and thank you for using our forum. smile.gif


    thewall
    If I have helped you then please consider donating so I can continue the fight against malware Posted Image
    All donations go directly to the helper

    Posted Image

    Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

    #13 Kyle26

    Kyle26
    • Topic Starter

    • Members
    • 16 posts
    • OFFLINE
    •  
    • Local time:03:22 AM

    Posted 23 April 2010 - 08:49 AM

    Everything looks good to go. Thank you so much for your time.

    #14 thewall

    thewall

    • Malware Response Team
    • 6,425 posts
    • OFFLINE
    •  
    • Gender:Male
    • Location:Florida
    • Local time:05:22 AM

    Posted 23 April 2010 - 10:06 AM

    You're welcome. Glad I could be of help. smile.gif
    If I have helped you then please consider donating so I can continue the fight against malware Posted Image
    All donations go directly to the helper

    Posted Image

    Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

    #15 thewall

    thewall

    • Malware Response Team
    • 6,425 posts
    • OFFLINE
    •  
    • Gender:Male
    • Location:Florida
    • Local time:05:22 AM

    Posted 24 April 2010 - 12:27 PM

    Since this issue appears to be resolved ... this Topic has been closed.

    If your the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

    Everyone else please begin a New Topic.
    If I have helped you then please consider donating so I can continue the fight against malware Posted Image
    All donations go directly to the helper

    Posted Image

    Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you




    0 user(s) are reading this topic

    0 members, 0 guests, 0 anonymous users